Ship Faster. Build Smarter. A production-ready multi-tenant B2B SaaS starter that handles the hard parts—domain isolation, tenant routing, RBAC, and billing—so you can focus on what makes your product unique.
Live demo available at marketing-app.com.
| Requirement | Description |
|---|---|
| Vercel | Sign up (free tier) — for deployment |
| Supabase | Sign up (free tier) — for auth, database, edge functions |
| Resend | Sign up (free tier) — for transactional emails |
| Two Domains | Marketing domain + protected domain with wildcard support |
| Node.js 20+ | Download — for local development |
| pnpm | npm install -g pnpm — for local development |
Click the button below to clone the repo and create the Marketing App project. Enter your app identity values when prompted.
Note: The deploy will succeed, but the app will show a "Server Error" when opened — this is expected since Supabase isn't configured yet. The repo is now cloned to your GitHub.
- Go to vercel.com/new and paste the GitHub repo URL created in Step 1
- Click Edit next to Root Directory, and set it to apps/protected
- Copy/paste the env vars below into the environment variables section
NEXT_PUBLIC_MARKETING_DOMAIN=''
NEXT_PUBLIC_APP_DOMAIN=''
NEXT_PUBLIC_APP_NAME=''
- Click Deploy (app will show "Server Error" until Supabase is configured)
Building a multi-tenant B2B SaaS from scratch means weeks (or months) implementing:
| Challenge | Solution |
|---|---|
| Tenant isolation & subdomain routing | Middleware-based rewriting with RLS |
| Auth flows with session management | Supabase Auth with custom JWT claims |
| Role-based access control (RBAC) | 5-tier hierarchy + 41 granular capabilities |
| Organization settings & branding | Complete org management with logo upload |
| Billing integration & tier management | Stripe subscriptions with usage enforcement |
| Email infrastructure | Resend + Edge Functions for transactional emails |
This template gives you all of that, production-ready. Start building features, not infrastructure.
🏗️ Architecture
Turborepo monorepo with two Next.js apps + shared packages:
| App/Package | Purpose |
|---|---|
| apps/marketing | Public-facing site (SEO-friendly, cookie-simple) |
| apps/protected | Tenant workspace (hardened, tenant-aware) |
| packages/ui | Shared UI components + utilities |
| packages/supabase | Shared Supabase client helpers |
Domain isolation keeps marketing and tenant apps completely separate, avoiding cross-app cookie/session headaches.
🔐 Authentication & Authorization
- Supabase Auth with custom JWT claims hook
- Tenant-aware sessions — JWTs enriched with subdomain/org/role/capabilities
- RBAC with capabilities — Fine-grained permissions beyond roles
  - Roles: owner, superadmin, admin, member, view-only
  - Capability-driven checks for UI + server actions
  - Per-org capability overrides (Business+ tier)
- Row-Level Security (RLS) — Database-level tenant isolation
🚀 Subdomain Routing
Clean URLs with smart routing:
tenant.yourdomain.com/dashboard → /s/[subdomain]/dashboard (internal)
- Server-side subdomain validation (tenant or active reservation)
- Non-subdomain traffic redirects to marketing site
- Users never see the internal routing structure
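
The routing rules above as a pure decision function that a middleware could call. This is an added example, not code from the template: the function names, the guard on the internal /s prefix and the 404 for unknown subdomains are assumptions.

```typescript
// Added example: domain names, the /s prefix guard and the 404 are assumptions.
type RouteDecision =
  | { action: "rewrite"; path: string }
  | { action: "redirect"; url: string }
  | { action: "reject"; status: number };

// One DNS label: lowercase alphanumerics with inner hyphens, 1 to 63 chars.
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

function extractSubdomain(host: string, appDomain: string): string | null {
  // Normalise case, then drop an optional port and trailing dot.
  const name = host.toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
  const suffix = "." + appDomain.toLowerCase();
  if (!name.endsWith(suffix)) return null; // apex or unrelated host
  const label = name.slice(0, -suffix.length);
  // Exactly one label: "a.b", "" and non-DNS characters are all rejected.
  return LABEL.test(label) ? label : null;
}

function resolveTenantRoute(
  host: string,
  pathname: string,
  appDomain: string,
  marketingDomain: string,
  isKnownSubdomain: (sub: string) => boolean, // tenant or active reservation
): RouteDecision {
  const sub = extractSubdomain(host, appDomain);
  if (sub === null) {
    return { action: "redirect", url: `https://${marketingDomain}/` };
  }
  // Keep the internal prefix unreachable from outside, so the tenant segment
  // of the rewritten path only ever comes from the validated Host header.
  if (pathname === "/s" || pathname.startsWith("/s/")) {
    return { action: "reject", status: 404 };
  }
  if (!isKnownSubdomain(sub)) return { action: "reject", status: 404 };
  return { action: "rewrite", path: `/s/${sub}${pathname}` };
}
```
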
💾 Backend & Database
- Supabase-first — RLS-enabled schema with policies
- Complete SQL schemas — Tables, functions, RLS policies, views, seed data
- Server Actions — Type-safe CRUD with RLS enforcement
- Org/tenant mapping — Memberships, projects, invitations, and more
📧 Email Infrastructure
- Resend integration via Supabase Edge Functions
- Email templates for auth flows (verification, invitations, welcome)
- Client hooks to trigger emails from your app
🎨 Tenant Features
- Organization branding — Logo upload, custom settings
- Onboarding flow — Complete signup → verification → workspace setup
- Org settings — Profile management, member invitations
💳 Billing (Optional)
- Stripe integration — Webhooks, subscriptions, checkout
- Tier-aware features — Entitlements, limits, upgrade flows
- UI gates — "Requires tier" components
🔍 Observability & Testing
- Sentry — Error tracking wired in
- Vitest — Test setup ready to go
| Category | Technology | Version |
|---|---|---|
| Monorepo | Turborepo | ^2.5.6 |
| Framework | Next.js | ^16.1.5 (App Router) |
| UI | React/ReactDOM | ^19.2.3 |
| Styling | Tailwind CSS | ^4.1.18 |
| Components | shadcn-style | via @workspace/ui |
| Backend | Supabase | ^2.92.0 |
| Email | Resend | ^4.0.0 |
| Billing | Stripe | ^20.0.0 |
| Monitoring | Sentry | ^10.36.0 |
| Testing | Vitest | ^3.2.4 |
├── apps/
│ ├── marketing/ # Public marketing site + tenant discovery + signup
│ └── protected/ # Tenant app (subdomain routing + authenticated workspace)
├── packages/
│ ├── ui/ # Shared UI components + utilities
│ ├── supabase/ # Shared Supabase client helpers
│ ├── eslint-config/ # Shared ESLint config
│ └── typescript-config/ # Shared TypeScript config
├── supabase/
│ ├── schemas/ # SQL schema files (tables, functions, RLS, seed)
│ └── functions/ # Edge functions (email hooks)
└── docs/ # Setup, architecture, DB, deployment guides
| Guide | Description |
|---|---|
| Getting Started | Complete setup guide — get running in ~15-30 min |
| Architecture | Multi-tenant routing, domain separation, RBAC patterns |
| Database | Schema reference + RLS policies |
| Vercel Deployment | Production setup (domains, DNS, env vars) |
| Stripe | Optional billing integration |
| Contributing | How to contribute |
Database & Migrations
SQL schema files in supabase/schemas/ provide:
- Tables for orgs, members, projects, invitations
- RLS policies for tenant isolation
- Functions for auth, capabilities, and business logic
- Views for common queries
- Seed data for development
Email System
Transactional emails via Supabase Edge Functions + Resend:
- Auth emails (verification, password reset)
- Invitations and welcome emails
- Custom email templates
See supabase/functions/send-email for implementation.
Server Actions
Type-safe CRUD using Next.js Server Actions:
- Located in apps/protected/app/actions/* and apps/marketing/app/actions.ts
- Uses @workspace/supabase/server for RLS-enforced queries
- All database operations run server-side
RBAC & Capabilities
Capabilities-first approach:
- Permissions evaluated by capability keys (not just roles)
- Server actions check capabilities + RLS
- Per-org capability customization (Business+ tier)
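
A deny-by-default capability check covering the model described here and in the Authentication & Authorization list: role defaults, per-org overrides honoured only on Business and above, and an org match before any capability is considered. This is an added example, not the template's code; the capability keys, tier names and claim fields are hypothetical.

```typescript
// Added example: capability keys, tier names and claim fields are hypothetical.
type Role = "owner" | "superadmin" | "admin" | "member" | "view-only";
type Tier = "free" | "pro" | "business" | "enterprise"; // assumed tier names

interface TenantClaims { org_id: string; role: Role; tier: Tier }
// Per-org override rows: true grants and false revokes a capability for a role.
type Overrides = Partial<Record<Role, Record<string, boolean>>>;

// Cumulative defaults, lowest role first (a small stand-in for the real set).
const VIEW_ONLY = ["projects.view"];
const MEMBER = [...VIEW_ONLY, "projects.create"];
const ADMIN = [...MEMBER, "members.invite"];
const SUPERADMIN = [...ADMIN, "org.settings.update"];
const OWNER = [...SUPERADMIN, "billing.manage"];
const ROLE_DEFAULTS = new Map<string, readonly string[]>([
  ["view-only", VIEW_ONLY], ["member", MEMBER], ["admin", ADMIN],
  ["superadmin", SUPERADMIN], ["owner", OWNER],
]);
const OVERRIDE_TIERS: readonly Tier[] = ["business", "enterprise"];

function hasCapability(c: TenantClaims, cap: string, overrides: Overrides = {}): boolean {
  const defaults = ROLE_DEFAULTS.get(c.role);
  if (defaults === undefined) return false; // unknown role in a token: deny
  if (OVERRIDE_TIERS.includes(c.tier)) {
    const override = overrides[c.role]?.[cap];
    // typeof guard ignores inherited keys such as "constructor".
    if (typeof override === "boolean") return override;
  }
  return defaults.includes(cap); // anything not listed is denied
}

// Guard for the top of a server action; RLS still applies underneath.
function requireCapability(
  c: TenantClaims, resourceOrgId: string, cap: string, overrides: Overrides = {},
): void {
  if (c.org_id !== resourceOrgId) throw new Error("forbidden: other organization");
  if (!hasCapability(c, cap, overrides)) throw new Error(`forbidden: missing ${cap}`);
}
```
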
MIT — Feel free to use this for your projects!